crypto/elliptic: use generics for nistec-based curves

There was no way to use an interface because the methods on the Point types return concrete Point values, as they should. A couple somewhat minor annoyances: - Allocations went up due to #48849. This is fine here, where math/big causes allocations anyway, but would probably not be fine in nistec itself. - Carrying the newPoint/newGenerator functions around as a field is a little weird, even if type-safe. It also means we have to make what were functions methods so they can access newPoint to return the zero value. This is #35966. For #52182 Change-Id: I050f3a27f15d3f189818da80da9de0cba0548931 Reviewed-on: https://go-review.googlesource.com/c/go/+/360015 Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
author: Filippo Valsorda <filippo@golang.org> 2021-10-30 02:01:35 -0400
committer: Filippo Valsorda <filippo@golang.org> 2022-04-27 14:22:53 +0000
commit: 83ff0b0c61c6ae99a058c851f4b0680064d46e8b (patch)
tree: 4eb31aa54eb89da6e42c998705bb493c4355fbd6
parent: 6796a7924c20d2c58b0cf78766b94543abfadc1b (diff)
download: go-83ff0b0c61c6ae99a058c851f4b0680064d46e8b.tar.gz
go-83ff0b0c61c6ae99a058c851f4b0680064d46e8b.zip
4 files changed, 219 insertions, 448 deletions
diff --git a/src/crypto/elliptic/nistec.go b/src/crypto/elliptic/nistec.go
new file mode 100644
index 0000000000..b4ecd95f7f
--- /dev/null
+++ b/src/crypto/elliptic/nistec.go
@@ -0,0 +1,219 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package elliptic
+
+import (
+	"crypto/elliptic/internal/nistec"
+	"crypto/rand"
+	"math/big"
+)
+
+var p224 = &nistCurve[*nistec.P224Point]{
+	newPoint:     nistec.NewP224Point,
+	newGenerator: nistec.NewP224Generator,
+}
+
+func initP224() {
+	p224.params = &CurveParams{
+		Name:    "P-224",
+		BitSize: 224,
+		// FIPS 186-4, section D.1.2.2
+		P:  bigFromDecimal("26959946667150639794667015087019630673557916260026308143510066298881"),
+		N:  bigFromDecimal("26959946667150639794667015087019625940457807714424391721682722368061"),
+		B:  bigFromHex("b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4"),
+		Gx: bigFromHex("b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21"),
+		Gy: bigFromHex("bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34"),
+	}
+}
+
+var p384 = &nistCurve[*nistec.P384Point]{
+	newPoint:     nistec.NewP384Point,
+	newGenerator: nistec.NewP384Generator,
+}
+
+func initP384() {
+	p384.params = &CurveParams{
+		Name:    "P-384",
+		BitSize: 384,
+		// FIPS 186-4, section D.1.2.4
+		P: bigFromDecimal("394020061963944792122790401001436138050797392704654" +
+			"46667948293404245721771496870329047266088258938001861606973112319"),
+		N: bigFromDecimal("394020061963944792122790401001436138050797392704654" +
+			"46667946905279627659399113263569398956308152294913554433653942643"),
+		B: bigFromHex("b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088" +
+			"f5013875ac656398d8a2ed19d2a85c8edd3ec2aef"),
+		Gx: bigFromHex("aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741" +
+			"e082542a385502f25dbf55296c3a545e3872760ab7"),
+		Gy: bigFromHex("3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da31" +
+			"13b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f"),
+	}
+}
+
+var p521 = &nistCurve[*nistec.P521Point]{
+	newPoint:     nistec.NewP521Point,
+	newGenerator: nistec.NewP521Generator,
+}
+
+func initP521() {
+	p521.params = &CurveParams{
+		Name:    "P-521",
+		BitSize: 521,
+		// FIPS 186-4, section D.1.2.5
+		P: bigFromDecimal("68647976601306097149819007990813932172694353001433" +
+			"0540939446345918554318339765605212255964066145455497729631139148" +
+			"0858037121987999716643812574028291115057151"),
+		N: bigFromDecimal("68647976601306097149819007990813932172694353001433" +
+			"0540939446345918554318339765539424505774633321719753296399637136" +
+			"3321113864768612440380340372808892707005449"),
+		B: bigFromHex("0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8" +
+			"b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef" +
+			"451fd46b503f00"),
+		Gx: bigFromHex("00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f8" +
+			"28af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf9" +
+			"7e7e31c2e5bd66"),
+		Gy: bigFromHex("011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817" +
+			"afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088" +
+			"be94769fd16650"),
+	}
+}
+
+// nistCurve is a Curve implementation based on a nistec Point.
+//
+// It's a wrapper that exposes the big.Int-based Curve interface and encodes the
+// legacy idiosyncrasies it requires, such as invalid and infinity point
+// handling.
+//
+// To interact with the nistec package, points are encoded into and decoded from
+// properly formatted byte slices. All big.Int use is limited to this package.
+// Encoding and decoding is 1/1000th of the runtime of a scalar multiplication,
+// so the overhead is acceptable.
+type nistCurve[Point nistPoint[Point]] struct {
+	newPoint     func() Point
+	newGenerator func() Point
+	params       *CurveParams
+}
+
+// nistPoint is a generic constraint for the nistec Point types.
+type nistPoint[T any] interface {
+	Bytes() []byte
+	SetBytes([]byte) (T, error)
+	Add(T, T) T
+	Double(T) T
+	ScalarMult(T, []byte) T
+}
+
+func (curve *nistCurve[Point]) Params() *CurveParams {
+	return curve.params
+}
+
+func (curve *nistCurve[Point]) IsOnCurve(x, y *big.Int) bool {
+	// IsOnCurve is documented to reject (0, 0), the conventional point at
+	// infinity, which however is accepted by pointFromAffine.
+	if x.Sign() == 0 && y.Sign() == 0 {
+		return false
+	}
+	_, ok := curve.pointFromAffine(x, y)
+	return ok
+}
+
+func (curve *nistCurve[Point]) pointFromAffine(x, y *big.Int) (p Point, ok bool) {
+	// (0, 0) is by convention the point at infinity, which can't be represented
+	// in affine coordinates. Marshal incorrectly encodes it as an uncompressed
+	// point, which SetBytes would correctly reject. See Issue 37294.
+	if x.Sign() == 0 && y.Sign() == 0 {
+		return curve.newPoint(), true
+	}
+	if x.Sign() < 0 || y.Sign() < 0 {
+		return curve.newPoint(), false
+	}
+	if x.BitLen() > curve.params.BitSize || y.BitLen() > curve.params.BitSize {
+		return *new(Point), false
+	}
+	p, err := curve.newPoint().SetBytes(Marshal(curve, x, y))
+	if err != nil {
+		return *new(Point), false
+	}
+	return p, true
+}
+
+func (curve *nistCurve[Point]) pointToAffine(p Point) (x, y *big.Int) {
+	out := p.Bytes()
+	if len(out) == 1 && out[0] == 0 {
+		// This is the correct encoding of the point at infinity, which
+		// Unmarshal does not support. See Issue 37294.
+		return new(big.Int), new(big.Int)
+	}
+	x, y = Unmarshal(curve, out)
+	if x == nil {
+		panic("crypto/elliptic: internal error: Unmarshal rejected a valid point encoding")
+	}
+	return x, y
+}
+
+// randomPoint returns a random point on the curve. It's used when Add,
+// Double, or ScalarMult are fed a point not on the curve, which is undefined
+// behavior. Originally, we used to do the math on it anyway (which allows
+// invalid curve attacks) and relied on the caller and Unmarshal to avoid this
+// happening in the first place. Now, we just can't construct a nistec Point
+// for an invalid pair of coordinates, because that API is safer. If we panic,
+// we risk introducing a DoS. If we return nil, we risk a panic. If we return
+// the input, ecdsa.Verify might fail open. The safest course seems to be to
+// return a valid, random point, which hopefully won't help the attacker.
+func (curve *nistCurve[Point]) randomPoint() (x, y *big.Int) {
+	_, x, y, err := GenerateKey(curve, rand.Reader)
+	if err != nil {
+		panic("crypto/elliptic: failed to generate random point")
+	}
+	return x, y
+}
+
+func (curve *nistCurve[Point]) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
+	p1, ok := curve.pointFromAffine(x1, y1)
+	if !ok {
+		return curve.randomPoint()
+	}
+	p2, ok := curve.pointFromAffine(x2, y2)
+	if !ok {
+		return curve.randomPoint()
+	}
+	return curve.pointToAffine(p1.Add(p1, p2))
+}
+
+func (curve *nistCurve[Point]) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
+	p, ok := curve.pointFromAffine(x1, y1)
+	if !ok {
+		return curve.randomPoint()
+	}
+	return curve.pointToAffine(p.Double(p))
+}
+
+func (curve *nistCurve[Point]) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int) {
+	p, ok := curve.pointFromAffine(Bx, By)
+	if !ok {
+		return curve.randomPoint()
+	}
+	return curve.pointToAffine(p.ScalarMult(p, scalar))
+}
+
+func (curve *nistCurve[Point]) ScalarBaseMult(scalar []byte) (*big.Int, *big.Int) {
+	p := curve.newGenerator()
+	return curve.pointToAffine(p.ScalarMult(p, scalar))
+}
+
+func bigFromDecimal(s string) *big.Int {
+	b, ok := new(big.Int).SetString(s, 10)
+	if !ok {
+		panic("invalid encoding")
+	}
+	return b
+}
+
+func bigFromHex(s string) *big.Int {
+	b, ok := new(big.Int).SetString(s, 16)
+	if !ok {
+		panic("invalid encoding")
+	}
+	return b
+}
diff --git a/src/crypto/elliptic/p224.go b/src/crypto/elliptic/p224.go
deleted file mode 100644
index 8a431c4769..0000000000
--- a/src/crypto/elliptic/p224.go
+++ /dev/null
@@ -1,139 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package elliptic
-
-import (
-	"crypto/elliptic/internal/nistec"
-	"crypto/rand"
-	"math/big"
-)
-
-// p224Curve is a Curve implementation based on nistec.P224Point.
-//
-// It's a wrapper that exposes the big.Int-based Curve interface and encodes the
-// legacy idiosyncrasies it requires, such as invalid and infinity point
-// handling.
-//
-// To interact with the nistec package, points are encoded into and decoded from
-// properly formatted byte slices. All big.Int use is limited to this package.
-// Encoding and decoding is 1/1000th of the runtime of a scalar multiplication,
-// so the overhead is acceptable.
-type p224Curve struct {
-	params *CurveParams
-}
-
-var p224 p224Curve
-var _ Curve = p224
-
-func initP224() {
-	p224.params = &CurveParams{
-		Name:    "P-224",
-		BitSize: 224,
-		// FIPS 186-4, section D.1.2.2
-		P:  bigFromDecimal("26959946667150639794667015087019630673557916260026308143510066298881"),
-		N:  bigFromDecimal("26959946667150639794667015087019625940457807714424391721682722368061"),
-		B:  bigFromHex("b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4"),
-		Gx: bigFromHex("b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21"),
-		Gy: bigFromHex("bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34"),
-	}
-}
-
-func (curve p224Curve) Params() *CurveParams {
-	return curve.params
-}
-
-func (curve p224Curve) IsOnCurve(x, y *big.Int) bool {
-	// IsOnCurve is documented to reject (0, 0), the conventional point at
-	// infinity, which however is accepted by p224PointFromAffine.
-	if x.Sign() == 0 && y.Sign() == 0 {
-		return false
-	}
-	_, ok := p224PointFromAffine(x, y)
-	return ok
-}
-
-func p224PointFromAffine(x, y *big.Int) (p *nistec.P224Point, ok bool) {
-	// (0, 0) is by convention the point at infinity, which can't be represented
-	// in affine coordinates. Marshal incorrectly encodes it as an uncompressed
-	// point, which SetBytes would correctly reject. See Issue 37294.
-	if x.Sign() == 0 && y.Sign() == 0 {
-		return nistec.NewP224Point(), true
-	}
-	if x.Sign() < 0 || y.Sign() < 0 {
-		return nil, false
-	}
-	if x.BitLen() > 224 || y.BitLen() > 224 {
-		return nil, false
-	}
-	p, err := nistec.NewP224Point().SetBytes(Marshal(P224(), x, y))
-	if err != nil {
-		return nil, false
-	}
-	return p, true
-}
-
-func p224PointToAffine(p *nistec.P224Point) (x, y *big.Int) {
-	out := p.Bytes()
-	if len(out) == 1 && out[0] == 0 {
-		// This is the correct encoding of the point at infinity, which
-		// Unmarshal does not support. See Issue 37294.
-		return new(big.Int), new(big.Int)
-	}
-	x, y = Unmarshal(P224(), out)
-	if x == nil {
-		panic("crypto/elliptic: internal error: Unmarshal rejected a valid point encoding")
-	}
-	return x, y
-}
-
-// p224RandomPoint returns a random point on the curve. It's used when Add,
-// Double, or ScalarMult are fed a point not on the curve, which is undefined
-// behavior. Originally, we used to do the math on it anyway (which allows
-// invalid curve attacks) and relied on the caller and Unmarshal to avoid this
-// happening in the first place. Now, we just can't construct a nistec.P224Point
-// for an invalid pair of coordinates, because that API is safer. If we panic,
-// we risk introducing a DoS. If we return nil, we risk a panic. If we return
-// the input, ecdsa.Verify might fail open. The safest course seems to be to
-// return a valid, random point, which hopefully won't help the attacker.
-func p224RandomPoint() (x, y *big.Int) {
-	_, x, y, err := GenerateKey(P224(), rand.Reader)
-	if err != nil {
-		panic("crypto/elliptic: failed to generate random point")
-	}
-	return x, y
-}
-
-func (p224Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
-	p1, ok := p224PointFromAffine(x1, y1)
-	if !ok {
-		return p224RandomPoint()
-	}
-	p2, ok := p224PointFromAffine(x2, y2)
-	if !ok {
-		return p224RandomPoint()
-	}
-	return p224PointToAffine(p1.Add(p1, p2))
-}
-
-func (p224Curve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
-	p, ok := p224PointFromAffine(x1, y1)
-	if !ok {
-		return p224RandomPoint()
-	}
-	return p224PointToAffine(p.Double(p))
-}
-
-func (p224Curve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int) {
-	p, ok := p224PointFromAffine(Bx, By)
-	if !ok {
-		return p224RandomPoint()
-	}
-	return p224PointToAffine(p.ScalarMult(p, scalar))
-}
-
-func (p224Curve) ScalarBaseMult(scalar []byte) (*big.Int, *big.Int) {
-	p := nistec.NewP224Generator()
-	return p224PointToAffine(p.ScalarMult(p, scalar))
-}
diff --git a/src/crypto/elliptic/p384.go b/src/crypto/elliptic/p384.go
deleted file mode 100644
index 33a441d090..0000000000
--- a/src/crypto/elliptic/p384.go
+++ /dev/null
@@ -1,144 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package elliptic
-
-import (
-	"crypto/elliptic/internal/nistec"
-	"crypto/rand"
-	"math/big"
-)
-
-// p384Curve is a Curve implementation based on nistec.P384Point.
-//
-// It's a wrapper that exposes the big.Int-based Curve interface and encodes the
-// legacy idiosyncrasies it requires, such as invalid and infinity point
-// handling.
-//
-// To interact with the nistec package, points are encoded into and decoded from
-// properly formatted byte slices. All big.Int use is limited to this package.
-// Encoding and decoding is 1/1000th of the runtime of a scalar multiplication,
-// so the overhead is acceptable.
-type p384Curve struct {
-	params *CurveParams
-}
-
-var p384 p384Curve
-var _ Curve = p384
-
-func initP384() {
-	p384.params = &CurveParams{
-		Name:    "P-384",
-		BitSize: 384,
-		// FIPS 186-4, section D.1.2.4
-		P: bigFromDecimal("394020061963944792122790401001436138050797392704654" +
-			"46667948293404245721771496870329047266088258938001861606973112319"),
-		N: bigFromDecimal("394020061963944792122790401001436138050797392704654" +
-			"46667946905279627659399113263569398956308152294913554433653942643"),
-		B: bigFromHex("b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088" +
-			"f5013875ac656398d8a2ed19d2a85c8edd3ec2aef"),
-		Gx: bigFromHex("aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741" +
-			"e082542a385502f25dbf55296c3a545e3872760ab7"),
-		Gy: bigFromHex("3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da31" +
-			"13b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f"),
-	}
-}
-
-func (curve p384Curve) Params() *CurveParams {
-	return curve.params
-}
-
-func (curve p384Curve) IsOnCurve(x, y *big.Int) bool {
-	// IsOnCurve is documented to reject (0, 0), the conventional point at
-	// infinity, which however is accepted by p384PointFromAffine.
-	if x.Sign() == 0 && y.Sign() == 0 {
-		return false
-	}
-	_, ok := p384PointFromAffine(x, y)
-	return ok
-}
-
-func p384PointFromAffine(x, y *big.Int) (p *nistec.P384Point, ok bool) {
-	// (0, 0) is by convention the point at infinity, which can't be represented
-	// in affine coordinates. Marshal incorrectly encodes it as an uncompressed
-	// point, which SetBytes would correctly reject. See Issue 37294.
-	if x.Sign() == 0 && y.Sign() == 0 {
-		return nistec.NewP384Point(), true
-	}
-	if x.Sign() < 0 || y.Sign() < 0 {
-		return nil, false
-	}
-	if x.BitLen() > 384 || y.BitLen() > 384 {
-		return nil, false
-	}
-	p, err := nistec.NewP384Point().SetBytes(Marshal(P384(), x, y))
-	if err != nil {
-		return nil, false
-	}
-	return p, true
-}
-
-func p384PointToAffine(p *nistec.P384Point) (x, y *big.Int) {
-	out := p.Bytes()
-	if len(out) == 1 && out[0] == 0 {
-		// This is the correct encoding of the point at infinity, which
-		// Unmarshal does not support. See Issue 37294.
-		return new(big.Int), new(big.Int)
-	}
-	x, y = Unmarshal(P384(), out)
-	if x == nil {
-		panic("crypto/elliptic: internal error: Unmarshal rejected a valid point encoding")
-	}
-	return x, y
-}
-
-// p384RandomPoint returns a random point on the curve. It's used when Add,
-// Double, or ScalarMult are fed a point not on the curve, which is undefined
-// behavior. Originally, we used to do the math on it anyway (which allows
-// invalid curve attacks) and relied on the caller and Unmarshal to avoid this
-// happening in the first place. Now, we just can't construct a nistec.P384Point
-// for an invalid pair of coordinates, because that API is safer. If we panic,
-// we risk introducing a DoS. If we return nil, we risk a panic. If we return
-// the input, ecdsa.Verify might fail open. The safest course seems to be to
-// return a valid, random point, which hopefully won't help the attacker.
-func p384RandomPoint() (x, y *big.Int) {
-	_, x, y, err := GenerateKey(P384(), rand.Reader)
-	if err != nil {
-		panic("crypto/elliptic: failed to generate random point")
-	}
-	return x, y
-}
-
-func (p384Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
-	p1, ok := p384PointFromAffine(x1, y1)
-	if !ok {
-		return p384RandomPoint()
-	}
-	p2, ok := p384PointFromAffine(x2, y2)
-	if !ok {
-		return p384RandomPoint()
-	}
-	return p384PointToAffine(p1.Add(p1, p2))
-}
-
-func (p384Curve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
-	p, ok := p384PointFromAffine(x1, y1)
-	if !ok {
-		return p384RandomPoint()
-	}
-	return p384PointToAffine(p.Double(p))
-}
-
-func (p384Curve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int) {
-	p, ok := p384PointFromAffine(Bx, By)
-	if !ok {
-		return p384RandomPoint()
-	}
-	return p384PointToAffine(p.ScalarMult(p, scalar))
-}
-
-func (p384Curve) ScalarBaseMult(scalar []byte) (*big.Int, *big.Int) {
-	p := nistec.NewP384Generator()
-	return p384PointToAffine(p.ScalarMult(p, scalar))
-}
diff --git a/src/crypto/elliptic/p521.go b/src/crypto/elliptic/p521.go
deleted file mode 100644
index 6a3ade3c36..0000000000
--- a/src/crypto/elliptic/p521.go
+++ /dev/null
@@ -1,165 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package elliptic
-
-import (
-	"crypto/elliptic/internal/nistec"
-	"crypto/rand"
-	"math/big"
-)
-
-// p521Curve is a Curve implementation based on nistec.P521Point.
-//
-// It's a wrapper that exposes the big.Int-based Curve interface and encodes the
-// legacy idiosyncrasies it requires, such as invalid and infinity point
-// handling.
-//
-// To interact with the nistec package, points are encoded into and decoded from
-// properly formatted byte slices. All big.Int use is limited to this package.
-// Encoding and decoding is 1/1000th of the runtime of a scalar multiplication,
-// so the overhead is acceptable.
-type p521Curve struct {
-	params *CurveParams
-}
-
-var p521 p521Curve
-var _ Curve = p521
-
-func initP521() {
-	p521.params = &CurveParams{
-		Name:    "P-521",
-		BitSize: 521,
-		// FIPS 186-4, section D.1.2.5
-		P: bigFromDecimal("68647976601306097149819007990813932172694353001433" +
-			"0540939446345918554318339765605212255964066145455497729631139148" +
-			"0858037121987999716643812574028291115057151"),
-		N: bigFromDecimal("68647976601306097149819007990813932172694353001433" +
-			"0540939446345918554318339765539424505774633321719753296399637136" +
-			"3321113864768612440380340372808892707005449"),
-		B: bigFromHex("0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8" +
-			"b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef" +
-			"451fd46b503f00"),
-		Gx: bigFromHex("00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f8" +
-			"28af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf9" +
-			"7e7e31c2e5bd66"),
-		Gy: bigFromHex("011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817" +
-			"afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088" +
-			"be94769fd16650"),
-	}
-}
-
-func (curve p521Curve) Params() *CurveParams {
-	return curve.params
-}
-
-func (curve p521Curve) IsOnCurve(x, y *big.Int) bool {
-	// IsOnCurve is documented to reject (0, 0), the conventional point at
-	// infinity, which however is accepted by p521PointFromAffine.
-	if x.Sign() == 0 && y.Sign() == 0 {
-		return false
-	}
-	_, ok := p521PointFromAffine(x, y)
-	return ok
-}
-
-func p521PointFromAffine(x, y *big.Int) (p *nistec.P521Point, ok bool) {
-	// (0, 0) is by convention the point at infinity, which can't be represented
-	// in affine coordinates. Marshal incorrectly encodes it as an uncompressed
-	// point, which SetBytes would correctly reject. See Issue 37294.
-	if x.Sign() == 0 && y.Sign() == 0 {
-		return nistec.NewP521Point(), true
-	}
-	if x.Sign() < 0 || y.Sign() < 0 {
-		return nil, false
-	}
-	if x.BitLen() > 521 || y.BitLen() > 521 {
-		return nil, false
-	}
-	p, err := nistec.NewP521Point().SetBytes(Marshal(P521(), x, y))
-	if err != nil {
-		return nil, false
-	}
-	return p, true
-}
-
-func p521PointToAffine(p *nistec.P521Point) (x, y *big.Int) {
-	out := p.Bytes()
-	if len(out) == 1 && out[0] == 0 {
-		// This is the correct encoding of the point at infinity, which
-		// Unmarshal does not support. See Issue 37294.
-		return new(big.Int), new(big.Int)
-	}
-	x, y = Unmarshal(P521(), out)
-	if x == nil {
-		panic("crypto/elliptic: internal error: Unmarshal rejected a valid point encoding")
-	}
-	return x, y
-}
-
-// p521RandomPoint returns a random point on the curve. It's used when Add,
-// Double, or ScalarMult are fed a point not on the curve, which is undefined
-// behavior. Originally, we used to do the math on it anyway (which allows
-// invalid curve attacks) and relied on the caller and Unmarshal to avoid this
-// happening in the first place. Now, we just can't construct a nistec.P521Point
-// for an invalid pair of coordinates, because that API is safer. If we panic,
-// we risk introducing a DoS. If we return nil, we risk a panic. If we return
-// the input, ecdsa.Verify might fail open. The safest course seems to be to
-// return a valid, random point, which hopefully won't help the attacker.
-func p521RandomPoint() (x, y *big.Int) {
-	_, x, y, err := GenerateKey(P521(), rand.Reader)
-	if err != nil {
-		panic("crypto/elliptic: failed to generate random point")
-	}
-	return x, y
-}
-
-func (p521Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
-	p1, ok := p521PointFromAffine(x1, y1)
-	if !ok {
-		return p521RandomPoint()
-	}
-	p2, ok := p521PointFromAffine(x2, y2)
-	if !ok {
-		return p521RandomPoint()
-	}
-	return p521PointToAffine(p1.Add(p1, p2))
-}
-
-func (p521Curve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
-	p, ok := p521PointFromAffine(x1, y1)
-	if !ok {
-		return p521RandomPoint()
-	}
-	return p521PointToAffine(p.Double(p))
-}
-
-func (p521Curve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int) {
-	p, ok := p521PointFromAffine(Bx, By)
-	if !ok {
-		return p521RandomPoint()
-	}
-	return p521PointToAffine(p.ScalarMult(p, scalar))
-}
-
-func (p521Curve) ScalarBaseMult(scalar []byte) (*big.Int, *big.Int) {
-	p := nistec.NewP521Generator()
-	return p521PointToAffine(p.ScalarMult(p, scalar))
-}
-
-func bigFromDecimal(s string) *big.Int {
-	b, ok := new(big.Int).SetString(s, 10)
-	if !ok {
-		panic("invalid encoding")
-	}
-	return b
-}
-
-func bigFromHex(s string) *big.Int {
-	b, ok := new(big.Int).SetString(s, 16)
-	if !ok {
-		panic("invalid encoding")
-	}
-	return b
-}
author	Filippo Valsorda <filippo@golang.org>	2021-10-30 02:01:35 -0400
committer	Filippo Valsorda <filippo@golang.org>	2022-04-27 14:22:53 +0000
commit	83ff0b0c61c6ae99a058c851f4b0680064d46e8b (patch)
tree	4eb31aa54eb89da6e42c998705bb493c4355fbd6
parent	6796a7924c20d2c58b0cf78766b94543abfadc1b (diff)
download	go-83ff0b0c61c6ae99a058c851f4b0680064d46e8b.tar.gz go-83ff0b0c61c6ae99a058c851f4b0680064d46e8b.zip